Mixed content warning

Postby Schnip » Tue Jan 27, 2015 2:32 am

The Artist info is really great and beautiful but it results in a mixed content warning when using SSL because Subsonic includes links from last.fm directly. Would it be possible that the server fetches the artist info and then presents it to the client from "itself"?
Schnip
 
Posts: 22
Joined: Fri Dec 12, 2014 1:57 am

Re: Mixed content warning

Postby dest41 » Tue Apr 05, 2016 2:06 pm

Bump on this point.
On 6.0 beta 1, the pictures of album info are fetched by unsecure HTTP even if Subsonic is accessed via HTTPS.
e.g. http://img2-ak.lst.fm/i/u/3f47091dff854 ... 99b261.png
Firefox gives warnings like
Loading mixed (insecure) display content "http://img2-ak.lst.fm/i/u/3f47091dff85400ebd40beb14b99b261.png" on a secure page[Learn More] jquery-1.7.1.min.js:2:28617
GET http://img2-ak.lst.fm/i/u/3f47091dff854 ... 99b261.png [Mixed Content] [HTTP/1.1 200 OK 567ms]

and loads the image anyway.
Mixed content seems bad (I'm not a security specialist though), so a solution would be to fetch all content by HTTPS but unfortunately, for img2-ak.lst.fm the certificate is for akamai, not lst.fm, giving an SSL error. Maybe there is a direct link with working SSL? Would be the easiest fix.

Or, as OP suggested, to fetch the image on the server-side, then save it and deliver it to the client. A bit heavy maybe.
dest41
 
Posts: 10
Joined: Wed Apr 08, 2015 9:10 am

Re: Mixed content warning

Postby acroyear » Tue Apr 05, 2016 2:55 pm

Yeah, the only real resolution is to fix it on the server to proxy to last.fm for all media. Something like /rest/lastfm.view?url=<encoded last.fm url goes here> where the server would then decode the URL, verify other parameters are correct for security reasons, verify the last.fm URL is correct for security reasons (no reason to open this proxy to anything else) and return the image data from last.fm as bytes.

I was looking at HTTPS for SubFire and found that I had to remove rendering last.fm artist images because of that.

I don't think "mixed content" is bad...but browser makers are increasingly disagreeing and making it harder and harder to add exceptions to it.
--
Joe Shelby
http://subfiresuite.com/
http://subfireplayer.net/
acroyear
 
Posts: 777
Joined: Wed Mar 27, 2013 8:05 pm
Location: Northern, VA
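
The URL check that such a proxy endpoint would need before fetching anything, as an added example that is not part of the thread and not Subsonic's code. The allowed host suffixes, file extensions, size cap and function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote, urlsplit, urlunsplit

# Assumptions: hosts the proxy may fetch from (suffix match), image types, size cap.
ALLOWED_SUFFIXES = (".lst.fm", ".last.fm")
ALLOWED_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif")
ALLOWED_TYPES = {"image/png", "image/jpeg", "image/gif"}
MAX_BYTES = 2 * 1024 * 1024
HOSTNAME_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")


def validate_upstream_url(encoded_url: str) -> str:
    """Decode the url= parameter once; return a rebuilt URL or raise ValueError."""
    url = unquote(encoded_url)
    # Whitespace, control characters and backslashes confuse URL parsers.
    if any(ord(c) <= 0x20 or c == "\\" for c in url):
        raise ValueError("illegal character in URL")
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    if "@" in parts.netloc or parts.port is not None:
        raise ValueError("userinfo or explicit port not allowed")
    host = (parts.hostname or "").lower()
    # Plain DNS names only: rejects IP literals and percent-encoded host tricks.
    if not HOSTNAME_RE.fullmatch(host) or not host.endswith(ALLOWED_SUFFIXES):
        raise ValueError("host not on the allow-list")
    if not parts.path.lower().endswith(ALLOWED_EXTENSIONS):
        raise ValueError("not an image path")
    # Rebuild from validated pieces; query and fragment are dropped.
    return urlunsplit((parts.scheme, host, parts.path, "", ""))


def is_allowed(encoded_url: str) -> bool:
    try:
        validate_upstream_url(encoded_url)
        return True
    except ValueError:
        return False


def response_is_acceptable(content_type: str, length: int) -> bool:
    """Check the upstream reply before relaying it as bytes to the browser."""
    media_type = content_type.split(";")[0].strip().lower()
    return media_type in ALLOWED_TYPES and 0 < length <= MAX_BYTES
```

The fetch itself should not follow redirects automatically, or should pass each redirect target through the same check, since a redirect would otherwise bypass the allow-list.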

